A friend of mine just started a job at a security sensitive company. They've provided him with a laptop with Windows XP Professional installed. He's heard a rumor from other employees that the laptops may have key loggers installed. Is there any way for him to confirm or disprove this allegation? Will this be as simple as looking at the process tree or registry, or do these kinds of key loggers hide themselves better than that?

6 Answers
6

This would greatly depend on the implementation of the keylogger. Some enterprise-level products do include rootkits which make the keylogger nearly impossible to detect, unless you know the product in use and its configuration. For an example, check out Spector Pro*. Also, as syneticon-dj notes, it's possible they may instead be using a hardware keylogger which could be implemented in a way that cannot be easily detected by software.

If they've given your friend full admin rights on the box, they're either really confident in their monitoring and configuration control capabilities or they're fairly ignorant to the implications of giving such privileges to an end-user. Often times, it's the latter. But, if you presume the former to be the case, then you should also presume there's some solid justification for their confidence.

Regardless, it's very likely that your friend has already signed (and thereby agreed to) an Acceptable Use Policy which includes a clause that relinquishes all rights to privacy on company-owned equipment. Further, any company worried about compliance in these matters will also have a Warning Banner on the system which reminds users at each log-in that they may be subject to monitoring on those systems.

Bottom line: Don't do anything on company equipment that you don't want them to see. Always presume that they are logging keystrokes, capturing screenshots (another common spyware feature), and monitoring network traffic with the possible inclusion of an SSL proxy. Keep business on business hardware, and personal stuff on personal hardware, and you should be fine.

*Note: This is not an endorsement of Spector Pro. I have no affiliations with the company, nor have I used their product. This is simply given as an example of what sort of spyware tools are available to corporations.

Iszi gives you some very good advice in general - chances are if they're using monitoring software, they're confident in it.

Will this be as simple as looking at the process tree or registry, or do these kinds of key loggers hide themselves better than that?

Detecting keyloggers is as simple as looking in the right place (which may or may not be simple depending on your viewpoint). The problem is knowing what to look for and where. What follows is a non-exhaustive few things you could do to check for keylogging modules.

Firstly, the obvious easy way to build a keylogger is to use DLL Injection which can be achieved a number of ways. Most of these will result in a DLL showing up as mapped to the process's address space. Take a look at this picture:

What is the topmost entry in that list? It's a pyd, or python extension, file. I've been messing with python-implemented COM servers and as a result, the DLL is loaded into Windows Explorer's address space.

DLL Injection of the keylogging variety will load its DLL into all of the target address spaces - can't capture everything if you don't. So one thing to look out for would be strange DLLs you cannot attribute to products whose purpose you know. They'll show up in this list for all processes.

Of the techniques described on wikipedia, the only one that I've not seen is the CreateRemoteThread variety - I'm uncertain if the outcome would be to attach a thread to the image or execute a thread with a name DllMain. Thanks to process explorer, we can still see what threads are executing what:

Awesome, right? Well, they could well be named to coincide with the obvious user32.dll or some such. There's a number of experiments we could perform to work out if that's the case, if we so wanted. These are left as an exercise to the reader (don't you just hate it when people say that!).

So that covers user-mode-obvious-keylogger-mode. There are some less obvious places a keylogger could be embedded (but they'd unlikely be global ones). However, things get really exciting when you start talking about kernel level hooks. There's an excellent article by Mark R and Bryce Cogswell on this topic, although it needs updating with the following caveat:

64-bit Windows kernels have a kernel-patch protection mechanism that periodically checks key points in the kernel for modification and shuts the system down if they're detected.

So, if you're running 32-bit windows, you could still have some form of kernel level hooking installed and working; if you're using 64-bit it is much less likely - given KPP has been bypassed before and is constantly changing, I would bet on you being free of kernel hooks on x64 as windows updates would crash the monitoring product system periodically. Software just doesn't sell on that basis.

What can you do versus a 32-bit hook? Lots of things:

Examine the drivers folder for entries that look suspicious/cannot be attributed.

Do the same thing, but offline, so that the driver can't prevent you from looking.

Configure a debug boot entry with bcdedit (bcdedit /copy {current} /d "Windows in debug mode", bcdedit /debug {id} ON after appropriate bcdedit /dbgsettings), hook up a firewire cable (really. Don't use serial. I discovered this using serial cables - firewire's much faster). Then, on your source machine, start kd and set a break point on module loading, then step through all the modules that load, making a note of them. Not much a driver can do to hide itself from you before its started. You might even proceed to examine it from here (g to continue, ctrl+c breaks at any point).

Of course, caveats here are that no windows executables have been patched directly, or some such malfeasance that is beyond our ability to trivially detect.

That's directly looking at the system, but is no means a complete solution. If you believe the logging software is phoning home, a transparent proxy might help you identify where - i.e. you might be dialled in to vpn.mycompany.com but you might also see connections to monitorserver.mycompany.com.

As you can no doubt tell, a lot of the techniques available to you depend on two things:

Your pre-existing familiarity with your OS, or ability to quickly become familiar with what is out of place and

The ability and resource of the author to hide/disguise their modifications from you.

Short answer: there's no foolproof way to detect anything of the sort; there are however some places you can start looking for evidence.

Various disclaimers:

Investigating might be contrary to your AUP. It might also be illegal where you live.

If you try everything I suggest and turn up nothing, follow Iszi's advice, assume that any monitoring program is better than you are.

You are not likely to make any friends amongst IT Support and Sysadmins analysing their systems like this.

The security of your activity on the work laptop depends on more than just its OS - it also depends on all the hardware/software involved in the transit of that data. My point? If you're worried (not saying you are, just an example) that your employer s spying on you to determine whether you spend your day playing farmville, well, they don't need a keylogger to do that - if you're connected via their network they ought to be able to log your connections. SSL will hide the content, but not the source or destination.

In my experience, rumours of keyloggers usually turn out to be just that - rumours. However, that's based on my statistically invalid sample of one company where such a rumour existed, so, not to be relied on. Clearly, these products exist.

Excelent answer. Most suspected keyloggers are myth. There are many other simpler ways to see what you are up to without logging every key stroke you make. Nice point that keyloaggers may be hardware as well as software. See my answer here for a little history on keyloggers.
–
this.joshJan 30 '12 at 4:10

@TildalWave sure, this will work only if keylogger is installed and it's owner try to see what has been sent :) I'm pretty sure there is no way to prove that system is keylogger-free, cuz of there're just too much ways to stalker laptop user. The best decision here is simply to use company-provided laptop for company-related work only.
–
НЛОApr 9 '13 at 8:49

No idea for the downvote. I find this pretty inventive and interesting actually. Flawed like any other probing that can only prove it and not also successfully disprove it, but that should be self-understood to all that read this thread by now. I guess someone didn't get it. I deleted my first comment, I hope it didn't cause the downvote by being misunderstood as a suggestion your answer isn't helpful. That was certainly not my intention! I'll +1 to balance things, but that's obviously not a voting suggestion for others either, people should make their own minds about it.
–
TildalWaveApr 9 '13 at 17:52

Basically, there is no way to detect this other than taking the system apart and comparing to a trusted implementation.

It has been proven to be theoretically impossible to create a program which would be able to analyze an arbitrary piece of code and determine if is going to halt eventually or run forever given a particular input (halting problem), which in turn means a whole lot for scanners which are meant to determine if an arbitrary binary is going to put your machine in a particular undesirable state.

As a further complication, key loggers do not need to be software installed within your operating system - they might be a hardware component as well.

Actually, no, it hasn't. The proof of the halting problem being undecidable applies to Turing machines, not finite-state machines. Actual computers closer to finite-state machines (they have finite memory). Its trivial in theory to answer "does this halt" for a finite-state machine; run it until it either halts (answer: yes) or a state is repeated (answer: no). States are finite, so that can't go forever. A Turing machine could do that. A real computer, not so much. I'm not aware if there is proof of no better algorithm than the naïve one. </nitpick>
–
derobertJan 31 '12 at 20:46

More hardware keyloggers: amecisco.com/faq_hardwarekeylogger.htm#Q15keelog.com/hardware_keyboard_logger2.html Undecidability is a bit of a red herring though. You might not be able to prove that a heuristic scanner is reliable on all possible inputs, but that doesn't make it useless. (Though a computer with access to a net connection it can send data to and query later might be closer to a Turing machine than a finite state machine for purposes of detecting repeated states before the heat death of the Universe.)
–
armbApr 8 '13 at 13:30

well some keyloggers hide them selves very well in fact some might be like a rootkit and you should get a good antivirus program that can detect and root out rootkits and trojans and the like from the computer and it should be scanned thoroughly from a CLEAN system otherwise you might be booting up to a rootkit or other nasty things which would make the scan appear to come out clean when in fact it isn't. one good such program is the AVG Pro antivirus and antirootkit program and there are a few others that claim to do well against rootkits and all other sorts of trojans spyware worms etc... a good investment, if you don't like having somone watching over your shoulder all the time, or worse catch a rather nasty "bug"
so do a scan with something like AVG , from a CLEAN system... that should take care of any of those things I mentioned, and keep your antivirus / antirootkit software up to date as well

Good advice but it may not be practical as the computer in question is company owned equipment. Company policy and IT guidelines may disallow some or all of the methods you suggest.
–
this.joshJan 27 '12 at 23:08

+1 to @this.josh. Also, I've got a really hard time up-voting a post that has so many formatting issues.
–
IsziJan 29 '12 at 19:08